Quantum Cryptography: Security Criteria Reexamined 

We find that the generally accepted security criteria are flawed for a whole class of protocols for
quantum cryptography. This is so because a standard assumption of the security analysis, namely 
that the so-called square-root measurement is optimal for eavesdropping purposes, is not true in 
general. There are rather large parameter regimes in which the optimal measurement extracts 
substantially more information than the square-root measurement. 

I. INTRODUCTION

All practical implementations of protocols for quantum cryptography have to deal with the unavoidable noise in the transmission lines, and possibly the intervention of an eavesdropper, that degrade the correlations in the raw-key data of the communicating parties — Alice and Bob. They then face a double task: First, they must establish how much Eve, the evildoing eavesdropper, can possibly know about their data; and second, they must extract a secure noise-free key sequence from the insecure noisy raw data.

The second task of key generation is solved by exploiting the findings and methods of classical information theory, in particular the lesson of the seminal work by Csiszár and Körner. They demonstrated that Alice and Bob can always generate a secure key, provided that the mutual information between them exceeds the mutual information between either one of them and Eve.

The first task of determining how much Eve knows thus 
amounts to figuring out the maximally attainable mutual 
information between her and either Alice or Bob. There 
are two different, but equivalent, lines of reasoning that 
one can choose to follow, depending on how one pictures 
the communication between Alice and Bob, and Eve's 
tampering with it. 

One scenario is that of the 1984 protocol by Bennett and Brassard (BB84, [2]), in which Alice sends quantum-information carriers to Bob through an appropriate, authenticated quantum channel. Eve intercepts each carrier in transmission and keeps an imperfect copy, obtained by operating a quantum-cloning machine, before forwarding the carrier to Bob. The quest is then for the best cloning machine — best for this purpose — in conjunction with the best way of extracting information from the clones.

The other scenario is that of the 1991 protocol by Ekert (E91), in which a source distributes entangled pairs of carriers to Alice and Bob, who make statistically independent measurements on them, thereby effectively establishing a quantum channel between themselves. Eve is given full control of the source. She keeps a quantum record of what is sent in the form of auxiliary quantum systems, usually termed ancillas, that she entangles with the paired carriers. Here the quest is for the best ancilla states in conjunction with the best way of extracting information from the ancillas.

In lack of superior alternatives, the standard analysis of protocols of BB84 type invokes unproven assumptions about optimal cloning machines; see, for example, Refs. and the recent paper by Acín et al. Likewise, there is a common assumption in the analysis of E91-type protocols, namely that the so-called square-root measurement (SRM, [7]) is optimal for Eve's processing of the ancillas; see the recent paper by Liang et al., for example. The established equivalence of the BB84 and E91 scenarios, and the fully equivalent security criteria thus found, is strong circumstantial evidence that these assumptions — about Eve's best intercept strategy and her best way of processing the ancillas, respectively — are equivalent as well.

It is the objective of this article to demonstrate that the SRM is not optimal for a whole class of quantum cryptography protocols, the tomographic protocols of Refs. ; it may very well not be optimal for other protocols, too. The equivalence stated above then implies the well-founded conjecture that there are also better intercept strategies than those usually regarded as best. We offer some remarks about the connection of this work with intercept strategies in the Appendix.



II. THE PYRAMID OF ANCILLA STATES 

We build on the work of Ref. , where the protocols are phrased as generalizations of the E91 scenario to $N$ letter alphabets ($N = 2, 3, \ldots$). The source controlled by Eve would emit pairs of qubits for $N = 2$, pairs of qutrits for $N = 3$, ..., pairs of qunits in the general case. After everything is done and said, Eve knows that her ancilla is in the state described by ket $|E_k\rangle$ if Alice obtains value $k$ for her qunit of the respective pair (with $k = 0, 1, \ldots, N-1$). Since there is a common (real) angle between every pair of ancilla states,

$$\langle E_k|E_l\rangle = \lambda + (1-\lambda)\delta_{kl} = \begin{cases} 1 & \text{if } k = l \\ \lambda & \text{if } k \neq l \end{cases} = r_0 - r_1 + N r_1 \delta_{kl}, \tag{1}$$

the $N$ ancilla kets can be regarded as the edges of an $N$-dimensional pyramid; see Fig. 1 for an illustration of the case of $N = 3$. The average ancilla ket

$$|H\rangle = \frac{1}{N}\sum_{k=0}^{N-1}|E_k\rangle \tag{2}$$

points from the tip of the pyramid to the center of its $(N-1)$-dimensional base [12], so that the length of $|H\rangle$, $\sqrt{\langle H|H\rangle} = \sqrt{r_0}$, is the height of the pyramid. The pyramid volume is given by $(1/N!)(N r_0)^{1/2}(N r_1)^{(N-1)/2}$; it is largest for $\lambda = 0$, $r_0 = r_1 = 1/N$, when the pyramid is a corner of an $N$-dimensional cube.

FIG. 1: Pyramid geometry for $N = 3$. The ancilla kets $|E_k\rangle$, of unit length, are the edges of the ancilla pyramid. Its shape is determined by the parameter $\lambda$ of (1), the cosine of the acute angle between any pair of edges. The height ket $|H\rangle$ of (2) points from the tip of the pyramid to the center of its base; its length is $\sqrt{r_0}$. The kets $|E_k\rangle - |H\rangle$, of length $\sqrt{1 - r_0}$, point from the center of the pyramid base to its corners. The SRM kets $|e_k\rangle$ of (9), of unit length, define the SRM pyramid, which has right angles between its edge kets. The SRM pyramid is wider than, but not as high as, the ancilla pyramid.

Geometry restricts $\lambda$ to the range $-1/(N-1) \le \lambda \le 1$, where both limits correspond to degenerate pyramids that have no $N$-dimensional volume. For $\lambda = 1$, we have a single ancilla state and the pyramid is just a line, a pyramid of unit height and no base; and for $\lambda = -1/(N-1)$ we have linearly dependent ancilla kets that span an $(N-1)$-dimensional subspace, so that the pyramid has no height. In the context of quantum cryptography, however, only nonnegative $\lambda$ values are relevant, for which $r_0 \ge r_1$. In other words, the pyramids of interest are acute, in the sense that the common angle between each pair of their edges is acute.



Alice gets each $k$ value with probability $1/N$, so that

N-l 
k=0 

is the statistical operator for Eve's ancillas. The height ket $|H\rangle$ of (2) is eigenket of $\rho$ to eigenvalue $r_0$ and all kets orthogonal to $|H\rangle$ are eigenkets to the $(N-1)$-fold degenerate eigenvalue $r_1 = r_0 - \lambda = (1-\lambda)/N$.

The $N$ kets $|E_k\rangle - |H\rangle$, each of length $\sqrt{1 - r_0} = \sqrt{(N-1) r_1}$, point from the center of the ancilla-pyramid base to its corners. They span the $(N-1)$-dimensional subspace to eigenvalue $r_1$.

III. WHICH EDGE OF THE PYRAMID? 

A. The pretty good square-root measurement 

Eve extracts information out of $\rho$ with the aid of a generalized measurement, a positive-operator-valued measure (POVM), specified by a decomposition of the identity in the $N$-dimensional ancilla space into $M$ nonnegative operators,

$$1 = \sum_{m=0}^{M-1} P_m, \qquad P_m \ge 0. \tag{4}$$

The mutual information between Alice and Eve,

$$I = \sum_{n=0}^{N-1}\sum_{m=0}^{M-1} p_{nm}\log\frac{p_{nm}}{p_{n\cdot}\,p_{\cdot m}}, \tag{5}$$

is then computable from the joint probabilities

$$p_{nm} = \frac{1}{N}\langle E_n|P_m|E_n\rangle \tag{6}$$

and their marginals

$$p_{n\cdot} = \sum_{m=0}^{M-1} p_{nm} = \frac{1}{N}, \qquad p_{\cdot m} = \sum_{n=0}^{N-1} p_{nm}. \tag{7}$$

For convenient normalization, the logarithm in (5) is taken to base $N$, so that $I \le 1$ with the maximum achieved for uniform perfect correlations, that is for $M = N$ and $p_{nm} = \delta_{nm}/N$.

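The POVM for the SRM is specified by setting $M = N$ and

$$P_m = (N\rho)^{-1/2}|E_m\rangle\langle E_m|(N\rho)^{-1/2} = |e_m\rangle\langle e_m| \tag{8}$$

with

$$|e_m\rangle = \bigl(|E_m\rangle - |H\rangle\bigr)\frac{1}{\sqrt{N r_1}} + |H\rangle\frac{1}{\sqrt{N r_0}}. \tag{9}$$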

The resulting joint probabilities are

$$p_{nm} = \frac{1}{N}\bigl|\langle E_n|e_m\rangle\bigr|^2 = \frac{1}{N}\bigl[\eta_1 + (\eta_0 - \eta_1)\delta_{nm}\bigr], \tag{10}$$

where

$$\sqrt{\eta_0} - \sqrt{\eta_1} = \sqrt{N r_1} \quad\text{and}\quad \eta_0 + (N-1)\eta_1 = 1. \tag{11}$$

FIG. 2: Mutual information between Alice and Eve if Eve performs the square-root measurement. The curves refer to $N = 2, 3, 5, 10, 20,$ and $100$, and the plot covers the range $0 \le \lambda \le 1$ that is relevant for quantum cryptography.

We note that the SRM thus associated with the ancilla pyramid happens to be a standard von Neumann measurement, not a POVM proper, because the projectors in (8) are pairwise orthogonal, $\mathrm{tr}\{P_m P_{m'}\} = \delta_{mm'}$. The mutual information acquired by performing the SRM,

$$I^{(\mathrm{SRM})} = \eta_0\log_N(N\eta_0) + (N-1)\,\eta_1\log_N(N\eta_1), \tag{12}$$

is shown in Fig. 2 for $N = 2, 3, 5, 10, 20, 100$.

B. Better than pretty good 

Whereas the SRM is known to be "pretty good" as a rule, it is also known that it does not always optimize the mutual information. In particular, Shor has pointed out that there are superior POVMs for $N = 3$ and some $\lambda < 0$, and has conjectured that there is also a $\lambda > 0$ range in which other POVMs could be better [14]. Shor's explicit example for $\lambda < 0$ is interesting in its own right but does not seem to have any bearing on the security analysis of quantum-cryptography protocols. By contrast, the $\lambda > 0$ examples reported below are of immediate relevance, as they invalidate, at least partly, established security criteria.

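Consider the one-parametric family of POVMs defined by $M = N + 1$ and $P_m = |e_m\rangle\langle e_m|$ with

$$\begin{aligned} m < N:&\quad |e_m\rangle = \bigl(|E_m\rangle - |H\rangle\bigr)\frac{1}{\sqrt{N r_1}} + |H\rangle\frac{t}{\sqrt{N r_0}}, \\ m = N:&\quad |e_N\rangle = |H\rangle\sqrt{\frac{1 - t^2}{r_0}}, \end{aligned} \tag{13}$$

where $0 \le t \le 1$. The SRM kets of (9) obtain for $t = 1$.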



FIG. 3: Mutual information for the POVM of (13) relative to that of the SRM. For $N = 10$, the plot shows the ratio of $I(T)/I^{(\mathrm{SRM})}$ as a function of $T$ for $\lambda = 0.9, 0.7, 0.5, 0.3$ (solid lines) and for $\lambda = 0.8, 0.6, 0.4$ (dashed lines). The left end ($T = 0$) refers to the SRM, the right end ($T = 1$) to the MUD. For $\lambda = 0.77276$ (dash-dotted line), both give the same mutual information.

For $t < 1$, the measurement pyramid, which has the kets $|e_0\rangle, \ldots, |e_{N-1}\rangle$ for its edges, has the same base area as the SRM pyramid, but is of smaller height and therefore obtuse. Since the angle between any such given $|e_m\rangle$ and the ancilla kets $|E_n\rangle$ with $n \neq m$ increases as $t$ decreases from $t = 1$, the sector of $m < N$ will have increased mutual information. But this comes at a price: When Eve finds $|e_N\rangle$, she has no clue about Alice's value; the sector $m = N$ is inconclusive and provides no contribution at all to the mutual information. Accordingly, the optimal choice of $t$ is such that the increase of mutual information in the $m < N$ sector is balanced against the increase in the probability of the inconclusive result; this probability equals $(1 - t^2) r_0$.

For $t = \sqrt{r_1/r_0}$, the POVM specified by (13) is the "measurement for unambiguous discrimination" (MUD, [7]), for which $\langle E_n|e_m\rangle = 0$ if $n \neq m < N$, so that there are perfect correlations, and thus full mutual information, in the $m < N$ sector. The cost for this perfection is, however, so high that the MUD never maximizes the mutual information, although it can outperform the SRM. The optimal choice for $t$ is always in the range $\sqrt{r_1/r_0} < t \le 1$. This observation is illustrated in Fig. 3 for $N = 10$ and various values of $\lambda$, including $\lambda = 0.77276$, for which the MUD and the SRM give the same mutual information. The plot shows only the $t$ range of interest, conveniently re-parameterized in terms of $T$, a scaled version of $t$, introduced in accordance with

$$t = 1 - T + T\sqrt{r_1/r_0}. \tag{14}$$

Thus, $T = 0$ refers to the SRM, and $T = 1$ to the MUD. The mutual information for the POVMs specified by (13) is given by

T frp\ - , 

I{T) = 770 \og N _ — — 
770 + (N - l)r]i 
(15)

where

$$\eta_0^{(T)} = \bigl(\sqrt{\eta_0} - T\sqrt{\eta_1}\bigr)^2, \qquad \eta_1^{(T)} = (1 - T)^2\,\eta_1 \tag{16}$$

are the $T$ dependent versions of $\eta_0$, $\eta_1$. For ancilla pyramids with a large volume, $0 < \lambda < (3 - 4/N)/(N-1) = \bar\lambda$, the maximum of $I(T)$ obtains for $T = 0$, which is to say that the SRM is optimal in this range of small $\lambda$ values. By contrast, for ancilla pyramids with a rather small volume, $\bar\lambda < \lambda < 1$, the maximum of $I(T)$ is reached for $T = 1 - (\sqrt{\eta_0/\eta_1} - 1)/(N - 2)$, that is when the arguments of the two logarithms in (15) equal $N - 1$ and $1/(N-1)$, respectively. Then, the measurement pyramid is obtuse.

FIG. 4: Ratio of the maximal mutual information $I_{\max}$ and the SRM value $I^{(\mathrm{SRM})}$, for $N = 3, 5, 10, 20, 100$, as a function of $\lambda$.

In summary we have

$$I_{\max} = \max_T I(T) = \begin{cases} I^{(\mathrm{SRM})} = I(T{=}0) & \text{if } 0 < \lambda < \bar\lambda = \dfrac{3N-4}{N(N-1)}, \\[2ex] (1-\lambda)\,\dfrac{N-1}{N-2}\,\log_N(N-1) & \text{if } \bar\lambda < \lambda < 1. \end{cases} \tag{17}$$

This is our central result.

For $\lambda$ values that exceed the threshold value of $\bar\lambda$ substantially, the optimal POVM from the family (13) gives significantly more mutual information than the SRM. This can be seen by plotting the ratio $I_{\max}/I^{(\mathrm{SRM})}$ as a function of $\lambda$; see Fig. 4. The $\lambda \to 1$ limit,

$$\frac{I_{\max}}{I^{(\mathrm{SRM})}} \to \frac{N/2}{N-2}\,\ln(N-1) \quad\text{as } \lambda \to 1, \tag{18}$$

shows that the optimal POVM provides much more information than the SRM if $N$ is large, and then the range $0 < \lambda < \bar\lambda \simeq 3/N$ is small in addition.

IV. SUMMARY AND DISCUSSION

In summary, there are POVMs that outperform the SRM for $\lambda > \bar\lambda$, and we know the optimal POVM of the sort defined by (13) quite explicitly. We are, in fact, quite sure that it is the global optimum because an extensive numerical search failed to find any better POVM.

A first search covered a large class of POVMs that respect the geometry of the ancilla pyramid: We took parameter $t$ to be complex; we rotated around the symmetry axis specified by ket and we considered weighted sums of several such POVMs, with different $t$ parameters and different rotations. For all of the many $N$ and $\lambda$ values, for which the numerical investigation was performed, the optimal POVM was always of the kind described above.

A second search, not restricted by geometrical or other constraints, confirmed these findings. It used the numerical method of Ref. , which is a fix-point iteration that converges monotonically toward the optimal POVM.

We note further that the large relative difference shown in Fig. 4 occurs where both $I_{\max}$ and $I^{(\mathrm{SRM})}$ are small, and so the absolute difference is rather small (see the figure in Ref. ). Therefore, the SRM threshold values given in Table I of Ref. [8] are quite good approximations for the true threshold values, as shown by the numerical values in Table I.

The "disturbance" values listed in this table are the quantities denoted by $D$ in Ref. and by $1 - \beta_0$ in Ref. , respectively. There is no difference for $N = 2$, of course, but for all $N > 2$ the true threshold is noticeably lower than the SRM threshold. In addition to this shift of the threshold, there is also a reduced efficiency inside the Csiszár-Körner regime (below the threshold) and this must be taken into account when extracting the secure key sequence from the noisy raw data. Fortunately, however, almost all of the practical quantum cryptography schemes presently implemented use qubits ($N = 2$), and then the SRM is optimal. Also, the optimal POVMs have no bearing on the threshold for classical advantage distillation, because the SRM remains optimal in the relevant limit, even for coherent eavesdropping attacks.

TABLE I: Threshold values for the disturbance below which the Csiszár-Körner theorem ensures that a secure key can be extracted from the noisy raw data. The second column gives the critical disturbance, that is $(N-2)^2/[(N-2)^2 + N]$, above which the SRM is optimal, as implied by Eq. (17). The third column repeats the values of Refs. , where Eve extracts information with the aid of the SRM. The true threshold values of the fourth column obtain for the optimal POVM.

In the spirit of Shor's investigation of obtuse pyramids, the eavesdropping procedure presented here can be viewed as a quantum communication channel, in which Alice transmits nonorthogonal and equally distributed signal states to Eve. The amount of information about the sequence of states sent by Alice, maximized over all possible POVMs, is then the accessible information of this quantum channel. Therefore, the maximal mutual information (17) between Alice and Eve gives us also this accessible information for $0 < \lambda$, which supplements, for $N = 3$, Shor's $\lambda < 0$ result.
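
The following numerical check of the central result (17) is an added example, not code from the paper. It builds the joint probabilities (6) for the POVM family (13) from the Gram matrix (1), evaluates the mutual information (5) on a grid of T values as in (14), and compares the grid maximum with the closed form (17); the function names and the grid resolution are choices made here.

```python
import math

def joint_probabilities(N, lam, T):
    """p_nm of Eq. (6) for the POVM family of Eq. (13); column N is the inconclusive outcome."""
    if not (N >= 2 and 0.0 <= lam < 1.0 and 0.0 <= T <= 1.0):
        raise ValueError("need N >= 2, 0 <= lam < 1, 0 <= T <= 1")
    r0 = lam + (1.0 - lam) / N            # eigenvalue of rho for the height ket |H>
    r1 = (1.0 - lam) / N                  # (N-1)-fold degenerate eigenvalue of rho
    t = 1.0 - T + T * math.sqrt(r1 / r0)  # Eq. (14): T = 0 is the SRM, T = 1 the MUD

    def amplitude(gram):
        # <E_n|e_m> for m < N, using <E_n|H> = r0 and <E_n|E_m> = gram from Eq. (1)
        return (gram - r0) / math.sqrt(N * r1) + r0 * t / math.sqrt(N * r0)

    eta0, eta1 = amplitude(1.0) ** 2, amplitude(lam) ** 2
    q = (1.0 - t * t) * r0                # |<E_n|e_N>|^2, probability of the inconclusive result
    return [[(eta0 if m == n else eta1) / N for m in range(N)] + [q / N]
            for n in range(N)]

def mutual_information(p, base):
    """Eq. (5) with the marginals of Eq. (7); logarithm to the given base."""
    rows = [sum(r) for r in p]
    cols = [sum(c) for c in zip(*p)]
    return sum(x * math.log(x / (rows[n] * cols[m]), base)
               for n, r in enumerate(p) for m, x in enumerate(r) if x > 0.0)

def info(N, lam, T):
    """Alice-Eve mutual information I(T), logarithm to base N."""
    return mutual_information(joint_probabilities(N, lam, T), N)

def grid_optimum(N, lam, steps=2000):
    """Brute-force maximum of I(T) on a uniform grid; returns (I_max, T_opt)."""
    return max((info(N, lam, k / steps), k / steps) for k in range(steps + 1))

def closed_form(N, lam):
    """Right-hand side of Eq. (17)."""
    lam_bar = (3 * N - 4) / (N * (N - 1))
    if lam <= lam_bar:
        return info(N, lam, 0.0)          # SRM branch
    return (1.0 - lam) * (N - 1) / (N - 2) * math.log(N - 1, N)

if __name__ == "__main__":
    for N, lam in [(10, 0.2), (10, 0.77276), (10, 0.9), (3, 0.9)]:
        best, T = grid_optimum(N, lam)
        print(f"N={N:3d} lam={lam:.5f} SRM={info(N, lam, 0.0):.6f} "
              f"MUD={info(N, lam, 1.0):.6f} grid max={best:.6f} at T={T:.4f} "
              f"Eq.(17)={closed_form(N, lam):.6f}")
```

For N = 10 and λ = 0.9 the grid maximum agrees with Eq. (17) and exceeds both the MUD (T = 1) and SRM (T = 0) values, while for λ = 0.2 the maximum sits at T = 0.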

APPENDIX: INTERCEPT ATTACKS

Here are a few remarks about the connection with intercept attacks on qunits sent through an authenticated quantum channel. We make use of the notational conventions of Ref. without explaining them anew, and refer to Eq. (12), say, of Ref. by (0-12).

The geometry of the unnormalized ancilla states $|E_{kl}^{(m)}\rangle$ is completely determined, for a given $m$ value, by the inner products of Eq. (0-6), and Eq. (0-7) states the transformation law between ancilla states to different $m$ values. It follows from this equation that the $k$ index of $|E_{kl}^{(m)}\rangle$ is analogous to that in $|m_k\rangle$, and the $l$ index to that in $|m_l\rangle$. Therefore, it is expedient to regard the $|E_{kl}^{(m)}\rangle$'s as the kets of two-qunit states that are superpositions of basis kets of the $|m_k m_l\rangle$ kind. They then acquire the strikingly simple explicit form



\ E kf) = W) 6kl ^W + l TOfeTO ')]v 



(A.l) 



where 



= 'y ^TOfcmfc) (any m value) (A. 2) 



is the maximally entangled state that is conjugate to of Eq. (0-2). This ansatz for $|E_{kl}^{(m)}\rangle$ is consistent with Eq. (0-6) if the complex amplitudes $a$, $b$ obey



N 



= 0o 



N- 1 

N 



01 



\b\ = N0 X 



(A.3) 



but no other restrictions apply, so that $a = \sqrt{\beta_0 - \beta_1}$, $b = i\sqrt{N\beta_1}$ is a permissible choice.

The entangled pure state $|\Psi\rangle$ of Eq. (0-5) that is prepared by Eve is then of the compact form



|*) = |'012'034> tt + 1^13^24)^! 



(A.4) 



where qunit 1 is sent to Alice, qunit 2 is sent to Bob, and qunits 3 and 4 make up Eve's ancilla. We note that this is the generic form of $|\Psi\rangle$ because all alternatives are obtained from this $|\Psi\rangle$ by unitary transformations on the ancilla.

Now, the "asymmetric universal quantum cloning machines", generalizations of the symmetric ones introduced by Bužek and Hillery, that are employed in Refs. [4], for the analysis of intercept attacks on the qunit in transmission from Alice to Bob, are characterized by a four-qunit state of the form (A.4). The resulting states of the clone-anticlone pair are thus fully analogous to the ancilla states $|E_{kl}^{(m)}\rangle$ in (A.1). Of those, the ones with $k \neq l$ are orthogonal among themselves and orthogonal to those with $k = l$, and the latter form the pyramid of ancilla states described in Sec. II. Accordingly, Eve can extract more information if she applies the optimal POVM of Sec. III B to the clone-anticlone pair, rather than submitting them to the usual SRM.